Redmine

I propose a protected_settings feature so that server operators can lock specific Redmine settings in configuration.yml. Locked settings cannot be changed via the Settings page (Administration > Settings).

Overview:
Add a protected_settings section to configuration.yml. Keys listed there are enforced with the given values. The Settings page shows values but each input is disabled. Change attempts are ignored.

• Ensure critical policy settings stay fixed
• Reduce risk from accidental or unsafe changes

• Enforce strict security policies (e.g., keep the REST API disabled)
• Prevent unintended configuration changes by Redmine administrators
• Allow hosting providers to lock settings customers must not modify

Example (configuration.yml):

protected_settings:
  rest_api_enabled: 0
  attachment_max_size: 102400
  enabled_scm:
    - Subversion
    - Git

• REST API is always disabled
• Maximum attachment size fixed at 102400 (100 MB)
• Enabled SCM limited to Subversion and Git only

Prior example:
DokuWiki uses conf/local.protected.php to enforce listed settings and block changes in the web Configuration Manager. This proposal applies the same idea to Redmine.
https://www.dokuwiki.org/config#configuration_options